RU2637997C1 - System and method for detecting malicious code in a file - Google Patents

System and method for detecting malicious code in a file

Info

Publication number
RU2637997C1
Authority
RU
Russia
Prior art keywords
signature
execution
log
type
file
Prior art date
Application number
RU2016136224A
Other languages
English (en)
Russian (ru)
Inventor
Максим Юрьевич Головкин
Алексей Владимирович Монастырский
Владислав Валерьевич Пинтийский
Михаил Александрович Павлющик
Виталий Владимирович Бутузов
Дмитрий Валериевич Карасовский
Original Assignee
Акционерное общество "Лаборатория Касперского"
Priority date
Filing date
Publication date
Application filed by Акционерное общество "Лаборатория Касперского"
Priority to RU2016136224A (RU2637997C1)
Priority to US15/431,162 (US10460099B2)
Priority to JP2017098800A (JP6842367B2)
Priority to EP17176069.7A (EP3293660A1)
Priority to CN201710452788.3A (CN107808094B)
Application granted
Publication of RU2637997C1

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; interpretation; software simulation, e.g. virtualisation or emulation of application or operating system execution engines

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Debugging And Monitoring (AREA)

Priority Applications (5)

| Application Number | Publication | Priority Date | Filing Date | Title |
|---|---|---|---|---|
| RU2016136224A | RU2637997C1 (ru) | 2016-09-08 | 2016-09-08 | System and method for detecting malicious code in a file |
| US15/431,162 | US10460099B2 (en) | 2016-09-08 | 2017-02-13 | System and method of detecting malicious code in files |
| JP2017098800A | JP6842367B2 (ja) | 2016-09-08 | 2017-05-18 | System and method for detecting malicious code in a file |
| EP17176069.7A | EP3293660A1 (en) | 2016-09-08 | 2017-06-14 | System and method of detecting malicious code in files |
| CN201710452788.3A | CN107808094B (zh) | 2016-09-08 | 2017-06-15 | System and method for detecting malicious code in a file |

Applications Claiming Priority (1)

| Application Number | Publication | Priority Date | Filing Date | Title |
|---|---|---|---|---|
| RU2016136224A | RU2637997C1 (ru) | 2016-09-08 | 2016-09-08 | System and method for detecting malicious code in a file |

Publications (1)

| Publication Number | Publication Date |
|---|---|
| RU2637997C1 (ru) | 2017-12-08 |

Family

ID=60581263

Family Applications (1)

| Application Number | Publication | Priority Date | Filing Date | Title |
|---|---|---|---|---|
| RU2016136224A | RU2637997C1 (ru) | 2016-09-08 | 2016-09-08 | System and method for detecting malicious code in a file |

Country Status (4)

| Country | Link |
|---|---|
| US (1) | US10460099B2 (en) |
| JP (1) | JP6842367B2 (en) |
| CN (1) | CN107808094B (en) |
| RU (1) | RU2637997C1 (en) |

Cited By (1)

* Cited by examiner, † Cited by third party
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| RU2757807C1 (ru) * | 2020-08-24 | 2021-10-21 | Акционерное общество "Лаборатория Касперского" | System and method for detecting malicious code in an executable file |

Families Citing this family (27)

* Cited by examiner, † Cited by third party
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| FR3070076B1 (fr) * | 2017-08-09 | 2019-08-09 | Idemia Identity And Security | Method for protecting an electronic device against fault injection attacks |
| US10810099B2 (en) | 2017-09-11 | 2020-10-20 | International Business Machines Corporation | Cognitive in-memory API logging |
| KR101976992B1 (ko) * | 2017-11-16 | 2019-05-10 | 숭실대학교산학협력단 | Apparatus and method for automatically recognizing analysis evasion techniques using signature extraction |
| US11250123B2 (en) * | 2018-02-28 | 2022-02-15 | Red Hat, Inc. | Labeled security for control flow inside executable program code |
| US10922409B2 (en) * | 2018-04-10 | 2021-02-16 | Microsoft Technology Licensing, Llc | Deep reinforcement learning technologies for detecting malware |
| US11017078B2 (en) | 2018-04-24 | 2021-05-25 | Microsoft Technology Licensing, Llc | Environmentally-trained time dilation |
| US10965444B2 (en) * | 2018-04-24 | 2021-03-30 | Microsoft Technology Licensing, Llc | Mitigating timing attacks via dynamically triggered time dilation |
| CN110717180B (zh) * | 2018-07-13 | 2021-09-28 | 北京安天网络安全技术有限公司 | Malicious document detection method, system and storage medium based on self-locating behavior |
| CN109492391B (zh) * | 2018-11-05 | 2023-02-28 | 腾讯科技(深圳)有限公司 | Application program defense method, apparatus and readable medium |
| EP3674940B1 (en) * | 2018-12-28 | 2024-05-29 | AO Kaspersky Lab | System and method of forming a log when executing a file with vulnerabilities in a virtual machine |
| RU2724790C1 (ru) * | 2018-12-28 | 2020-06-25 | Акционерное общество "Лаборатория Касперского" | System and method for forming a log when executing a file with vulnerabilities in a virtual machine |
| WO2020180298A1 (en) * | 2019-03-05 | 2020-09-10 | Intel Corporation | Deterministic trusted executed container through managed runtime language metadata |
| CN113268726B (zh) * | 2020-02-17 | 2023-10-20 | 华为技术有限公司 | Method for monitoring program code execution behavior, and computer device |
| US11775640B1 (en) * | 2020-03-30 | 2023-10-03 | Amazon Technologies, Inc. | Resource utilization-based malicious task detection in an on-demand code execution system |
| CN111506437A (zh) * | 2020-03-31 | 2020-08-07 | 北京安码科技有限公司 | Cyber range application invocation method, system, electronic device and storage medium based on the Windows native call interface |
| EP3926470B1 (en) * | 2020-06-19 | 2023-08-16 | AO Kaspersky Lab | Emulator and emulation method |
| US11636203B2 (en) | 2020-06-22 | 2023-04-25 | Bank Of America Corporation | System for isolated access and analysis of suspicious code in a disposable computing environment |
| US11797669B2 (en) | 2020-06-22 | 2023-10-24 | Bank Of America Corporation | System for isolated access and analysis of suspicious code in a computing environment |
| US11880461B2 (en) | 2020-06-22 | 2024-01-23 | Bank Of America Corporation | Application interface based system for isolated access and analysis of suspicious code in a computing environment |
| US11269991B2 (en) | 2020-06-22 | 2022-03-08 | Bank Of America Corporation | System for identifying suspicious code in an isolated computing environment based on code characteristics |
| US11574056B2 (en) | 2020-06-26 | 2023-02-07 | Bank Of America Corporation | System for identifying suspicious code embedded in a file in an isolated computing environment |
| CN113918941A (zh) * | 2020-07-07 | 2022-01-11 | 华为技术有限公司 | Abnormal behavior detection method, apparatus, computing device and storage medium |
| US20230244787A1 (en) * | 2022-01-28 | 2023-08-03 | Palo Alto Networks, Inc. | System and method for detecting exploit including shellcode |
| US12242609B2 (en) * | 2022-03-29 | 2025-03-04 | Acronis International Gmbh | Exact restoration of a computing system to the state prior to infection |
| US12373327B2 (en) * | 2022-04-28 | 2025-07-29 | Twilio Inc. | Data logging for API usage analytics |
| US12333008B2 (en) * | 2022-08-31 | 2025-06-17 | Crowdstrike, Inc. | Emulation-based malware detection |
| CN119106417B (zh) * | 2024-11-11 | 2025-03-11 | 开元华创科技(集团)有限公司 | Security detection method, system and storage medium for application programs |

Citations (8)

* Cited by examiner, † Cited by third party
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7568233B1 (en) * | 2005-04-01 | 2009-07-28 | Symantec Corporation | Detecting malicious software through process dump scanning |
| US7664626B1 (en) * | 2006-03-24 | 2010-02-16 | Symantec Corporation | Ambiguous-state support in virtual machine emulators |
| US7814544B1 (en) * | 2006-06-22 | 2010-10-12 | Symantec Corporation | API-profile guided unpacking |
| WO2011018271A1 (en) * | 2009-08-11 | 2011-02-17 | F-Secure Corporation | Malware detection |
| WO2012027669A1 (en) * | 2010-08-26 | 2012-03-01 | Verisign, Inc. | Method and system for automatic detection and analysis of malware |
| RU2491615C1 (ru) * | 2012-02-24 | 2013-08-27 | Закрытое акционерное общество "Лаборатория Касперского" | System and method for forming records for software detection |
| US20150347745A1 (en) * | 2014-05-28 | 2015-12-03 | The Industry & Academic Cooperation In Chungnam National University (Iac) | Method for extracting executable code of application using memory dump |
| US9355247B1 (en) * | 2013-03-13 | 2016-05-31 | Fireeye, Inc. | File extraction from memory dump for malicious content analysis |

Family Cites Families (13)

* Cited by examiner, † Cited by third party
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7779472B1 (en) | 2005-10-11 | 2010-08-17 | Trend Micro, Inc. | Application behavior based malware detection |
| US20100031353A1 (en) * | 2008-02-04 | 2010-02-04 | Microsoft Corporation | Malware Detection Using Code Analysis and Behavior Monitoring |
| US20160012223A1 (en) * | 2010-10-19 | 2016-01-14 | Cyveillance, Inc. | Social engineering protection appliance |
| US20100169972A1 (en) * | 2008-12-31 | 2010-07-01 | Microsoft Corporation | Shared repository of malware data |
| US9213838B2 (en) * | 2011-05-13 | 2015-12-15 | Mcafee Ireland Holdings Limited | Systems and methods of processing data associated with detection and/or handling of malware |
| RU2011138462A (ru) * | 2011-09-20 | 2013-04-10 | Закрытое акционерное общество "Лаборатория Касперского" | Using user decisions to detect unknown computer threats |
| RU2472215C1 (ru) * | 2011-12-28 | 2013-01-10 | Закрытое акционерное общество "Лаборатория Касперского" | Method for detecting unknown programs using emulation of the boot process |
| US9092625B1 (en) * | 2012-07-03 | 2015-07-28 | Bromium, Inc. | Micro-virtual machine forensics and detection |
| US9471783B2 (en) * | 2013-03-15 | 2016-10-18 | Mcafee, Inc. | Generic unpacking of applications for malware detection |
| CN104021346B (zh) * | 2014-06-06 | 2017-02-22 | 东南大学 | Android malware detection method based on program flow graphs |
| CN107004088B (zh) | 2014-12-09 | 2020-03-31 | 日本电信电话株式会社 | Determination device, determination method and recording medium |
| US10341355B1 (en) * | 2015-06-23 | 2019-07-02 | Amazon Technologies, Inc. | Confidential malicious behavior analysis for virtual computing resources |
| CN105760787B (zh) * | 2015-06-30 | 2019-05-31 | 卡巴斯基实验室股份制公司 | System and method for detecting malicious code in random access memory |

Also Published As

| Publication number | Publication date |
|---|---|
| US10460099B2 (en) | 2019-10-29 |
| CN107808094A (zh) | 2018-03-16 |
| JP6842367B2 (ja) | 2021-03-17 |
| CN107808094B (zh) | 2021-06-04 |
| JP2018041438A (ja) | 2018-03-15 |
| US20180068115A1 (en) | 2018-03-08 |

Similar Documents

| Publication | Title |
|---|---|
| RU2637997C1 (ru) | System and method for detecting malicious code in a file |
| JP2018041438A5 (en) | |
| US7603713B1 (en) | Method for accelerating hardware emulator used for malware detection and analysis |
| RU2514141C1 (ru) | Method for emulating system function calls to bypass anti-emulation measures |
| RU2510074C2 (ru) | System and method for checking executable code before its execution |
| US10146938B2 (en) | Method, apparatus and virtual machine for detecting malicious program |
| US8516589B2 (en) | Apparatus and method for preventing virus code execution |
| Volckaert et al. | Cloning your gadgets: Complete ROP attack immunity with multi-variant execution |
| US9811663B2 (en) | Generic unpacking of applications for malware detection |
| RU2628921C1 (ru) | System and method for performing an antivirus scan of a file on a virtual machine |
| US9189630B1 (en) | Systems and methods for active operating system kernel protection |
| EP2610774A1 (en) | System and method for detecting malware targeting the boot process of a computer |
| RU2514142C1 (ru) | Method for increasing the efficiency of hardware-accelerated application emulation |
| RU2553056C2 (ru) | System and method for saving the state of an emulator and subsequently restoring it |
| Bojinov et al. | Address space randomization for mobile devices |
| US11609993B2 (en) | Emulator and emulation method |
| Kawakoya et al. | API Chaser: Taint-assisted sandbox for evasive malware analysis |
| EP3926470A1 (en) | Emulator and emulation method |
| RU2585978C2 (ru) | Method for calling system functions when operating system kernel protection mechanisms are in use |
| EP3293660A1 (en) | System and method of detecting malicious code in files |
| RU2596577C2 (ru) | Method for creating a system call handler |
| Kawakoya et al. | Stealth loader: Trace-free program loading for analysis evasion |
| EP2866167A1 (en) | System and method for preserving and subsequently restoring emulator state |